Preparing for a technology supply chain attack

A year ago, the attack on SolarWinds brought software supply chain attacks to the forefront of the news. Now, every week there are new incidents. To make matters worse, corporations and government institutions have to defend themselves against both traditional cybercriminals and nation states with big budgets and many resources, which makes these campaigns difficult to stop.

Any organization can fall victim to a technology supply chain attack, but managed service providers (MSPs) in particular offer large attack surfaces that make them high-value targets for cybercriminals. On average, an MSP can manage the IT operations of 100 companies; therefore, criminals only have to hack an MSP to gain access to these 100 clients.

Research suggests that 53% of companies feel a false sense of security when it comes to supply chain attacks, making them an easy target. Many do not really understand the nature of these threats and view the use of "known and trusted software" as a form of protection. In the first half of 2021, 292 organizations were victims of this type of attack, affecting approximately 5.5 million people.

Acronis, the cyber protection company, recently hosted a panel discussion at Microsoft Inspire where four renowned cybersecurity experts explored the challenges of protecting Microsoft 365 environments and what Microsoft users, including MSPs and small and medium-sized businesses (SMBs), should learn from these advanced attacks.

“Supply chain attacks exploit the trust relationship a company has with its software vendor,” said Candid Wüest, vice president of cyber protection research at Acronis. “If a cybercriminal spends enough time and money on a given target, any organization can be hacked. Fortunately, Microsoft uses a zero-trust approach, which has mitigated the damage caused by these breaches. While Microsoft admits that unauthorized people had read access to its code, no one had write access to modify its code.”

Zero trust means that, by default, you never trust anything or anyone, whether inside or outside the network. It is based on the principle of least privilege: a user is granted only the rights necessary to do their job. The software verifies each access attempt.

“The first lesson to be learned from these attacks is that all companies should implement a zero trust approach,” Wüest said. “For example, open source libraries and toolkits that a company uses can be compromised. Furthermore, criminals can inject code into your website's JavaScript. Should a company monitor their websites to make sure these JavaScript files are not being modified? The answer is yes, but many organizations don't.”

“The second lesson,” he continued, “is to make sure you have visibility into the attack. Would you know if your data was being extracted? For many organizations, the answer is no.”

Keatron Evans, Principal Security Researcher, Trainer, and Author at the InfoSec Institute, added: “Another important lesson is that all companies need to ensure that their IT staff are trained on how to properly respond to and handle a breach.”

Evans discussed a case where a large MSP suffered a supply-chain-type breach. Its code was compromised, affecting hundreds of its clients. After the breach, the MSP was advising its clients on incident response, but unfortunately it was giving them the wrong instructions. Evans said: “It has exacerbated a situation that was already bad. MSPs need to make sure they really understand how to handle an incident.”

Many supply chain attacks target larger tech players, but the fallout from the attack can compromise both MSPs and SMBs. Often the target company has large security budgets and advanced processes, but the attackers are extremely sophisticated.

“With many supply chain attacks, the average MSP and SMB are the spectators down on the street in a superhero movie where Superman battles a giant villain,” said Scott Bekker, Editorial Director, Redmond Channel Partner and Converge 360. “All MSPs/SMBs can do is try not to get stepped on.”

To ensure they don't get trampled when a supply chain attack occurs, MSPs and SMBs need to implement a zero-trust approach, put the right systems and processes in place to gain visibility into an attack, and train their IT staff on incident response strategies.

Get familiar with zero trust. For more information, visit acronis.com

Copyright © 2022 IDG Communications, Inc.